Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
Showing
- private/domain.te 2 additions, 1 deletionprivate/domain.te
- private/ephemeral_app.te 4 additions, 0 deletionsprivate/ephemeral_app.te
- private/heapprofd.te 31 additions, 17 deletionsprivate/heapprofd.te
- private/isolated_app.te 4 additions, 0 deletionsprivate/isolated_app.te
- private/priv_app.te 4 additions, 0 deletionsprivate/priv_app.te
- private/untrusted_app_all.te 4 additions, 0 deletionsprivate/untrusted_app_all.te
- public/te_macros 45 additions, 10 deletionspublic/te_macros
Loading
Please register or sign in to comment